Account Takeover, or ATO, is a term that has become all too familiar. Credentials exposed in 3rd party breaches are now routinely used by criminals to perpetrate fraud, steal intellectual property and sell it on underground markets. ATOs are quick, scale rapidly and cause collateral damage that can last for years.
Some security practitioners think that all account takeovers are stopped if they have behavior-based bot mitigation in place. The truth is, those solutions only address the later part of the ATO timeline. There is an entirely different attack pattern taking place in the first 18-24 months after a breach occurs that you also need to address.
“SpyCloud is the authority on account takeover prevention.”
– Richard Farley, Chief Information Security Officer at Zoom
Account Takeover Timeline
Before we can touch on ATO prevention efforts, we have to understand the timeline.
Phase 1 – The Breach
Criminals find and exploit vulnerabilities in popular websites and forums to gain access to their user database. Think Yahoo, Dropbox and Dubsmash. These publicized breaches impacted more than a billion people and not only exposed these users’ passwords, but even more sensitive information like account questions/answers, dates of birth, gender, etc.
Phase 2 – Targeted Attacks
During this time, credentials are high-value assets. Criminals typically keep stolen information contained within their trusted network until they’ve fully monetized the data, which can take as long as 24 months. After harvesting a stolen dataset, the attacker may engage trusted associates to help them parse the data and crack the password hashes. They identify exceptionally wealthy or high-profile victims who should be treated differently than the rest, and get creative in targeting them with manual account takeover and beyond, such as blackmail and extortion.
Having extracted as much value out of the stolen data as possible, the next step is to package it for sale to less sophisticated criminals, who can automate credential stuffing attacks with minimal effort, expense or expertise. Essentially, at this point the stolen credentials have become commodities.
Phase 4 – Credential Stuffing
Once criminals have purchased a list of usernames and passwords, they attempt to enter the same credentials on multiple other websites in a process called credential stuffing. Criminals can download easy-to-use tools and scale up their attacks with the use of automated botnets. Because so many people reuse passwords on multiple accounts out of convenience, this hacking method can be quite lucrative and relatively easy. But eventually the volume of attacks using the exposed credentials surges to the point where the public becomes aware of the need to change their password, and the value to criminals substantially diminishes.
For companies who recognize that it’s not a matter of if but when, the real power lies in preventative steps.
Unfortunately, many well-intentioned security professionals believe they are protecting their company and employees from account takeover if they simply invest in password managers and MFA.
According to the last four Verizon Data Breach Investigations Reports (DBIR), the use of stolen credentials remains the #1 way criminals gain access to accounts and the sensitive information within. Over 80% of hacking-related breaches involve compromised or weak credentials, and 29% of all breaches, regardless of attack type, use stolen credentials.
The truth is, behavior-based technologies, password managers, password rotation, multi-factor authentication and scanner solutions are not effective security controls when used alone. They do not prevent account takeover, do not alert security/IT personnel of ATO, and do not provide the means by which leaders can find exposed credentials on the underground. Protection from account takeover requires more.
Steps to Prevent Account Takeover
Step 1: Fortify Passwords
The key to stopping account takeover fraud is to prevent it in the first place. A proactive strategy is much more effective than constantly playing defense. To truly prevent account takeover before it happens, companies must first prevent employees from choosing previously compromised or overly simple passwords. This begins with educating employees on the importance of choosing unique, strong passwords that they can remember but that are difficult to guess. NIST guidelines changed to recommend the same approach, recognizing that 16-character, random and difficult passwords may fool the criminals but are nearly impossible for users to remember.
The compromise is to follow NIST password standards and implement an automated password check into the user registration process. The preventative solution cross-checks each attempted password creation against a database containing previously exposed passwords. If a match is found or the password is too simple, the user is prevented from registering their account until they choose a stronger one that has not been compromised. The quality, breadth and timeliness of this database are critical. If the database is partial or isn’t updated to contain real-time data, matches are likely to be missed.
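The registration-time check described above, as an added illustration that is not SpyCloud's code: the exposure set is a small constructed sample (a real deployment queries a continuously updated breach database), and the length bounds follow NIST SP 800-63B. It also rejects trivial variants of an exposed password (case changes, trailing digits or symbols), which goes slightly beyond the text.

```python
import hashlib
import re
from typing import List, Optional

def sha1_hex(s: str) -> str:
    """Hex SHA-1, the form exposed-password sets are commonly distributed in."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()

def canonical(password: str) -> str:
    """Reduce a password to the base criminals mutate: lowercase, trailing digits/symbols stripped."""
    base = re.sub(r"[0-9!@#$%^&*.]+$", "", password).lower()
    return base or password.lower()   # all-digit passwords keep their own form

# Constructed sample of previously exposed passwords (hypothetical, for the demo only).
_EXPOSED_PLAINTEXTS = ("password", "qwerty123", "Summer2019!", "letmein")
EXPOSED_EXACT = {sha1_hex(p) for p in _EXPOSED_PLAINTEXTS}
EXPOSED_CANONICAL = {sha1_hex(canonical(p)) for p in _EXPOSED_PLAINTEXTS}

MIN_LENGTH, MAX_LENGTH = 8, 64   # NIST SP 800-63B bounds for memorized secrets

def exposure_status(password: str) -> Optional[str]:
    """Return why the password counts as exposed, or None if no match."""
    if sha1_hex(password) in EXPOSED_EXACT:
        return "exact match to a breached password"
    if sha1_hex(canonical(password)) in EXPOSED_CANONICAL:
        return "trivial variant of a breached password"
    return None

def check_new_password(password: str, username: str = "") -> List[str]:
    """Reasons a password is rejected at registration or reset; an empty list means accepted."""
    reasons = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        reasons.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if len(set(password.lower())) < 4:          # e.g. "aaaaaaaa" or "12121212"
        reasons.append("too repetitive")
    exposed = exposure_status(password)
    if exposed:
        reasons.append(exposed)
    return reasons
```

The same function should gate the forced reset later in the timeline, so that a user cannot replace an exposed password with a close variant of it.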
Step 2: Intervene Early
The next step is to prevent any stolen credentials from being sold to the communities of criminals in the underground. Typically once compromised passwords are discovered by scanners, crawlers and scrapers, the damage has been done. The credentials have already been sold on public forums.
When passwords are strong, unique and have never been compromised, account takeover resulting from password reuse is unlikely. Proactively protecting accounts that are currently exposed to ATOs, however, requires sophisticated technology that accesses the same data as the criminals. If a company is relying on scanners, web crawlers and forum scrapers, they may only find an exposure late in the ATO lifecycle. By then, the stolen credentials have already been sold to criminal communities. At this point, all that can be done is attempt to control the damage.
Step 3: Stop the Bleed
If credentials are found to be exposed, an effective security solution will be able to automatically and instantly force a password reset. The user is locked out of all accounts until they change their password to a unique, strong and previously unexposed password. Administrators should be alerted and the account should be monitored for suspicious activity for the long haul.
It is recommended that the user with the stolen credentials survey all of their accounts, personal and work-related, to ensure the password and any variations are not being used anywhere else. Once a password is compromised, it is highly likely that it will fall victim to credential stuffing to see if there is a match in any other application or website. Changing all instances of this password is critical.
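The "stop the bleed" step, as an added example rather than any vendor's code: an exposure record from a breach feed (email plus the exposed plaintext) is verified against the account's current password hash, and only a confirmed live match triggers the lockout, session revocation, forced reset, admin alert and long-term watch. The user store, the PBKDF2 parameters and the record format are assumptions for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; parameters are illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    sessions: List[str] = field(default_factory=list)
    locked: bool = False
    must_reset: bool = False
    watch_days: int = 0          # how long to keep the account on the suspicious-activity watchlist

def new_user(email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email.lower(), salt, hash_password(password, salt), sessions=["sess-1", "sess-2"])

def remediate_exposure(users: Dict[str, User], record: dict) -> dict:
    """Handle one exposure record {"email": ..., "password": ...}; returns the action taken."""
    user = users.get(record["email"].lower())
    if user is None:
        return {"email": record["email"], "action": "no matching account"}
    if not hmac.compare_digest(hash_password(record["password"], user.salt), user.pw_hash):
        # Exposed password is not the current one: record it, nothing to lock.
        return {"email": user.email, "action": "exposure noted, current password differs"}
    # The exposed password is still live: lock, revoke sessions, force a reset, alert, watch.
    user.locked = True
    user.must_reset = True
    revoked = len(user.sessions)
    user.sessions.clear()
    user.watch_days = 365
    alert = {"severity": "high", "email": user.email, "sessions_revoked": revoked}
    return {"email": user.email, "action": "locked, reset forced, admins alerted", "alert": alert}
```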
Choose the Right Account Takeover Prevention Solution
Putting a stop to ATOs requires investing in a solution that identifies compromised passwords early in the attack timeline and enables fast, automated remediation.
Using human intelligence (HUMINT) and applied research, the solution should flag your user exposures from 3rd party breaches well before they are found with scanners, web crawlers and forum scrapers, and well before the stolen credentials are sold on the underground. The solution should also find and identify internal machines that may be infected with malware, monitor suspicious activity, and attempt to recover any stolen data.
Account takeover prevention requires constant monitoring of every employee and/or consumer account, constant cross-checking against a robust database of the most current breach data available, integration with existing systems, and automated remediation.